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METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR SECURITY 

WITHIN A GLOBAL COMPUTER NETWORK 

BACKGROUND 

5 This description relates in general to information handling systems, and in particular to a 

method, system, and computer program product for security within a global computer network. 
In a global computer network, a user may be deceived into relying on a resource that is 
misrepresented as a trusted resource. Such deception causes various problems, including 
potential damage to goodwill of the trusted resources. 

10 

SUMMARY 

In a first embodiment, an information handling system determines whether a resource is 
likely misrepresented as a trusted resource within a global computer network. In a second 
embodiment, the information han dling system outputs an indication of whether a resource within 
15 a global computer network is recognized as a known trusted resource. 

A principal advantage of these embodiments is that deception is less likely. 



BRIEF DESCRIPTION OF THE DRAWING 

Fig. 1 is a block diagram of a system according to the illustrative embodiment. 
20 Fig. 2 is a block diagram of a representative computing system of Fig. 1. 

Fig. 3 is a block diagram of an e-commerce provider of Fig. 1. 
Fig. 4 is a block diagram of a security provider of Fig. 1. 

Fig. 5 is a conceptual illustration of various processes executed by a security provider 
administrator of Fig. 4. 
25 Fig. 6 is a block diagram of an individual customer of Fig. 1 . 

Fig. 7 is a conceptual illustration of various processes executed by a customer of Fig. 1. 
Fig. 8 is a block diagram of an entity customer of Fig. 1. 

Fig. 9 is an illustration of a 1st screen displayed by a display device of a customer of Fig. 

1. 

30 Fig. 10 is an illustration of a 2nd screen displayed by a display device of a customer of 

Fig. 1. 

Fig. 11a is an illustration of a 3rd screen displayed by a display device of a customer of 

Fig. 1. 
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Fig. 1 lb is an illustration of a 4th screen displayed by a display device of a customer of 

Fig. 1. 

Fig. 12 is an illustration of a 5th screen displayed by a display device of a customer of 

Fig. 1. 

5 Fig. 13 is an illustration of a 1st screen displayed by a display device of an e-commerce 

provider of Fig. 1. 

Fig. 14 is an illustration of a 2nd screen displayed by a display device of an e-commerce 
provider of Fig. 1. 

Fig. 15 is a flowchart of operation of a process executed by an e-commerce provider 
1 0 administrator of Fig. 3 . 

Fig. 16 is a flowchart of operation of another process executed by the e-commerce 
provider administrator of Fig. 3. 

Fig. 17 is a flowchart of operation of a process executed by a security provider 
administrator of Fig. 4. 

1 5 Fig. 1 8 is a flowchart of operation of another process executed by the security provider 

administrator of Fig. 4. 

Fig. 19 is a flowchart of operation of a process executed by a customer of Fig. 1 . 
Fig. 20 is a flowchart of operation of another process executed by a customer of Fig. 1. 

DETAILED DESCRIPTION 
20 Fig. 1 is a block diagram of a system, indicated generally at 100 according to the 

illustrative embodiment. System 1 00 includes (a) electronic commerce ("e-commerce") 
providers 102 and 104 for executing respective e-commerce provider processes as discussed 
further hereinbelow in connection with Figs. 3 and 13-16, (b) individual customers 106 and 108 
for executing respective individual customer processes as discussed further hereinbelow in 
25 connection with Figs. 7, 9-12, 19 and 20, (c) entity customers 1 10 and 1 12 for executing 

respective entity customer process as discussed further hereinbelow in connection with Figs. 7, 
9-12, 19 and 20, and (d) security provider 120 for executing respective security provider 
processes as discussed further hereinbelow in connection with Figs. 4, 5, 17 and 18. Further, 
system 100 includes spoof servers 1 14 and 1 16, and a global computer network 118 (e.g., a 
30 Transport Control Protocol/Internet Protocol ("TCP/IP") network, such as the Internet), which 
are discussed further hereinbelow. 

Each of e-commerce providers 102 and 104, individual customers 106 and 108, entity 
customers 110 and 112, spoof servers 1 14 and 1 16, and security provider 120 includes a 
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respective network interface for communicating with network 118 (e.g., outputting information 
to, and receiving information from, network 118), such as by transferring information (e.g., 
instructions, data, signals) between such e-commerce provider, individual customer, entity 
customer, spoof server and network 118. Also, each of e-commerce providers 102 and 104, 
individual customers 106 and 108, entity customers 110 and 112, spoof servers 114 and 116, 
network 118, and security provider 120 is a computing system that includes at least one 
respective information handling system ("IHS") (e.g., computer) for executing respective 
processes and performing respective operations (e.g., processing and communicating 
information) in response thereto as discussed further hereinbelow. Each such computing system 
and IHS is formed by various electronic circuitry means. Moreover, as shown in Fig. 1, all such 
KS's are coupled to one another. Accordingly, e-commerce providers 102 and 104, individual 
customers 106 and 108, entity customers 1 10 and 1 12, spoof servers 1 14 and 1 16, and security 
provider 120 operate within the network 118. 

For clarity, Fig. 1 depicts only two e-commerce providers 102 and 104, although system 
100 may include additional e-commerce providers which are substantially identical to one 
another. Similarly for clarity, Fig. 1 depicts only two individual customers 106 and 108, 
although system 100 may include additional individual customers which are substantially 
identical to one another. Likewise, for clarity, Fig. 1 depicts only two entity customers 1 10 and 
112, although system 100 may include additional entity customers which are substantially 
identical to one another. Moreover, for clarity, Fig. 1 depicts only two spoof servers, although 
system 1 00 may include additional spoof servers which are substantially identical to one another. 
E-commerce provider 102 is a representative one of the e-commerce providers, individual 
customer 106 is a representative one of the individual customers, entity customer 1 10 is a 
representative one of the entity customers, and spoof server 1 14 is a representative one of the 
spoof servers. 

In system 100, any one or more of the e-commerce providers, customers, and/or security 
provider is equipped to determine whether a resource (e.g., a source or destination of 
information) is likely misrepresented as a trusted resource within the network 1 18, so that a user 
thereof is less likely to be deceived into relying on the misrepresented resource. For example, 
such deception may occur if a user selects (e.g., "clicks") on an embedded hyperlink to a web 
page, under a mistaken belief that the hyperlink will direct the user to a trusted web page, where 
instead the hyperlink actually directs the user to a misrepresented web page whose objective is to 
illegally, immorally or unethically deceive the user. Such a link is presentable (e.g., displayable) 
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to the user in an electronic message (e.g., an electronic mail ("e-mail") message or an instant 
"chat" message). Moreover, a source (e.g., e-mail address) of such electronic message may 
likewise be misrepresented as a trusted resource. 

A misrepresented web page may include features that simulate or mimic features of a 
trusted web page (e.g., by including the trusted web page's service mark, trademark, logo, layout 
and/or other elements). Such misrepresentation is a security risk. For example, the 
misrepresented web page may deceive a user into sharing confidential information (e.g., personal 
identification number ('TIN") or other password), sensitive information (e.g., social security 
number or other user identification), or financial information (e.g., credit card account 
information or bank account information), which compromises security. Such deception is a 
type of web page "spoofing." 

After a user is deceived into visiting a misrepresented web page (e.g., "spoof web page"), 
the user is potentially subject to various types of attacks. In one example, the misrepresented 
web page displays an information entry field, which is embedded in the misrepresented web 
page, and which asks the user to enter confidential, sensitive, or financial information. In 
response to such request, if the user enters and transmits such information via the information 
entry field (e.g., by clicking a button labeled "submit" ), the information is output to the 
misrepresented resource, and security is compromised. 

In another example, an electronic message includes (e.g., is embedded with) a mark-up 
language command (e.g., HyperText mark up language ("HTML") command or Extensible 
Markup Language ("XML") command). Similar to a misrepresented web page, an electronic 
message may be misrepresented as originating from a trusted source (e.g., eBay, Microsoft). 
After a user receives and opens the electronic message, the user is potentially subject to various 
types of attacks. In one example, the electronic message displays an information entry field, 
which is embedded in the electronic message, and which asks the user to enter confidential, 
sensitive, or financial information. In response to such request, if the user enters and transmits 
such information via the information entry field (e.g., by clicking a button labeled "submit"), the 
information is output to the misrepresented resource, and security is compromised. 

Fig. 2 is a block diagram of a representative one of the computing systems of e- 
commerce providers 102 and 104, individual customers 106 and 108, entity customers 110 and 
112, spoof servers 114 and 116, and security provider 120 of Fig. 1. Such representative 
computing system is indicated by dashed enclosure 200. Each of the computing systems of e- 
commerce providers 102 and 104, individual customers 106 and 108, entity customers 1 10 and 
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1 12, spoof servers 1 14 and 116, and security provider 120 operates in association with a 
respective human user. Accordingly, in the example of Fig. 2, computing system 200 operates in 
association with a human user 202, as discussed further hereinbelow. 

As shown in Fig. 2, computing system 200 includes (a) input devices 206 for receiving 
information from human user 202, (b) a display device 208 (e.g., a conventional electronic 
cathode ray tube ("CRT") device) for displaying information to user 202, (c) a computer 204 for 
executing and otherwise processing instructions, (d) a print device 210 (e.g., a conventional 
electronic printer or plotter), (e) a nonvolatile storage device 211 (e.g., a hard disk drive or other 
computer-readable medium (or apparatus), as discussed further hereinbelow) for storing 
information, (f) a computer-readable medium (or apparatus) 212 (e.g., a portable floppy diskette) 
for storing information, and (g) various other electronic circuitry for performing other operations 
of computing system 200. 

For example, computer 204 includes (a) a network interface (e.g., circuitry) for 
communicating between computer 204 and network 1 12 and (b) a memory device (e.g., random 
access memory ("RAM") device and read only memory ("ROM") device) for storing 
information (e.g., instructions executed by computer 204 and data operated upon by computer 
204 in response to such instructions). Accordingly, computer 204 is connected to network 1 12, 
input devices 206, display device 208, print device 210, storage device 21 1, and computer- 
readable medium 212, as shown in Fig. 2. Also, computer 204 includes internal speakers for 
outputting audio signals. In an alternative embodiment, the speakers are external to computer 
204. 

For example, in response to signals from computer 204, display device 208 displays 
visual images, and user 202 views such visual images. Moreover, user 202 operates input 
devices 206 in order to output information to computer 204, and computer 204 receives such 
information from input devices 206. Also, in response to signals from computer 204, print 
device 210 prints visual images on paper, and user 202 views such visual images. 

Input devices 206 include, for example, a conventional electronic keyboard and a 
pointing device such as a conventional electronic "mouse", rollerball or light pen. User 202 
operates the keyboard to output alphanumeric text information to computer 204, and computer 
204 receives such alphanumeric text information from the keyboard. User 202 operates the 
pointing device to output cursor-control information to computer 204, and computer 204 receives 
such cursor-control information from the pointing device. 

Fig. 3 is a block diagram of e-commerce provider 102. E-commerce provider 102 



5 



WO 2004/055632 



PCTAJS2003/039359 



performs e-commerce transactions (e.g., transactions of goods or services through network 118) 
with individual customers (e.g., individual customer 108) and entity customers (e.g., entity 
customer 1 10). E-commerce provider 102 includes an e-commerce provider administrator 302, 
which is a computing system for executing e-commerce provider administrator processes as 
discussed further hereinbelow in connection with Figs. 13-16. Human security analyst 306 is a 
user of e-commerce provider administrator 302, similar to the manner in which human user 202 
operates in association with computing system 200. E-commerce provider administrator 302 
further operates in association with a database 304, which is stored within a hard disk of e- 
commerce provider administrator 302. 

Within database 304, e-commerce provider administrator 302 stores results of various 
analyses performed by and received from security provider administrator 402 (discussed further 
hereinbelow in connection with Fig. 4). Database 304 is organized to include various addresses 
(e.g., Internet addresses) of web pages and analyses thereof. For example, such analyses include 
designations of whether such web pages (e.g., as represented by such addresses) are trusted 
resources, mistrusted resources, or neither (e.g., neutral). 

Moreover, as shown in Fig. 3, e-commerce provider administrator 302 includes 
respective network interfaces for communicating with network 1 18 on behalf of e-commerce 
provider 102. Such communication includes outputting information to (and receiving 
information from) individual customers (e.g., individual customer 106) and entity customers 
(e.g., entity customer 110). Also, such communication with network 118 also includes 
outputting information to (and receiving information from) security provider 120. 

Fig. 4 is a block diagram of security provider 120. Security provider 120 includes 
security provider administrator 402, which is a computing system for executing security provider 
administrator processes as discussed further hereinbelow in connection with Figs. 5, 17 and 18. 
Human system manager 406 is a user of security provider administrator 402, similar to the 
manner in which human user 202 operates in association with computing system 200. 

Also as shown in Fig. 4, in the illustrative embodiment, security provider administrator 
402 includes respective network interfaces for communicating with network 1 18 on behalf of 
security provider 120. Such communication includes outputting information to (and receiving 
information from) e-commerce providers (e.g., e-commerce provider 102), individual customers 
(e.g., individual customer 106), and entity customers (e.g., entity customer 1 10). 

Moreover, security provider 120 includes a web-crawler 404, which is a computing 
system for executing a web-crawling process as discussed hereinbelow. Web-crawler 404 is 
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coupled to security provider administrator 402 via a connection for communicating with security 
provider administrator 402. Also, as shown in Fig. 4, web-crawler 404 includes a respective 
network interface for communicating with network 118, such as by transferring information 
between web-crawler 404 and network 118. 
5 From security provider administrator 402, web-crawler 404 receives an Internet address 

associated with a web page from which to begin a search operation. Web-crawler 404 
automatically retrieves a web page from such Internet address and searches the web page for 
other Internet addresses that are listed therein. Web-crawler 404 automatically retrieves the web 
pages associated with such other Internet addresses and likewise continues searching those web 

10 pages for other Internet addresses that are listed therein. Web-crawler 404 continues operating in 
this manner until it determines that a halting condition has occurred. For example, the halting 
condition includes a specified one or more of the following: reaching a maximum word limit, or 
reaching a maximum document limit. To security provider administrator 402, web crawler 404 
outputs the Internet addresses that it identifies during the process. 

15 Fig. 5 is a conceptual illustration of various processes executed by security provider 

administrator 402, which are discussed in more detail herein. As shown in Fig. 5, security 
provider administrator 402 executes an analysis process 502 (discussed further hereinbelow in 
connection with Fig. 17) and an update/notification process 504 (discussed further hereinbelow 
in connection with Fig. 1 8). Such processes perform their respective operations in response to 

20 information stored in a mistrusted web pages database 506 and a trusted web pages database 508. 

Mistrusted web pages database 506 and trusted web pages database 508 are stored within 
a hard disk of security provider administrator 402. Within mistrusted web pages database 506 
and trusted web pages database 508, security provider administrator 402 stores records of 
operations performed by security provider administrator 120, including records of analyses 

25 performed by analysis process 502. Mistrusted web pages database 506 includes a list of 

Internet addresses that are associated with respective web pages (e.g., "spoof web pages") known 
to be misrepresented as trusted web pages. Conversely, organization of trusted web pages 
database 508 includes a list of Internet addresses that are associated with respective web pages 
known to be trusted. 

30 In the illustrative embodiment, a human system manager (e.g., human system manager 

406) initially populates trusted web pages database 508. In an alternative embodiment, a 
computing system (e.g., security provider administrator 402) executes a process (e.g., a "spider") 
to initially populate trusted web pages database 508. In such an alternative embodiment, the 
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computing system automatically retrieves various web pages, and it stores (in trusted web pages 
database 508) the Internet address of web pages that satisfy predetermined criteria indicating that 
such web pages are trusted. 

Analysis process 502 analyzes information received by security provider administrator 
5 120 from web-crawler 404 and from network 118. Also, analysis process 502 outputs suitable 
information to update/notification process 504. 

Update/notification process 504 performs other operations of security provider 
administrator 120, including communication of information (a) between human system manager 
406 and network 118 and (b) via network 1 1 8, to customers (e.g., customers 106 and 1 10) and e- 
10 commerce providers (e.g., e-commerce provider 102) regarding analyses of electronic messages 
and web pages retrieved from network 118. 

Fig. 6 is a block diagram of individual customer 106. Individual customer 106 includes a 
client 602 for executing client processes as discussed further hereinbelow in connection with 
Figs. 7, 9-12, 19 and 20. Human user 604 is a user of client 602, similar to the manner in which 
15 human user 202 operates in association with computing system 200. Moreover, client 602 
includes a network interface for communicating with network 118. 

Fig. 7 is a conceptual illustration of various processes executed by representative clients 
602 and 804. In the operation of Fig. 7, client 602 is a representative one of clients 602 and 804. 
The processes executed by client 602 are discussed in more detail elsewhere herein. 
20 As shown in Fig. 7, client 602 executes an operating system 702, a web browser 704, and 

a plug-in indicated by dashed enclosure 706. Also, plug-in 706 includes a detection process 
indicated by dashed enclosure 708, an update process 712, and a user notification/report process 
714 (discussed in more detail hereinbelow in connection with Fig. 20). Detection process 708 
includes an analysis process 710 (discussed in more detail hereinbelow in connection with Fig. 
25 19), which writes information to mistrusted web pages database 716 and trusted web pages 

database 718 for storage therein, and which operates in response thereto. Databases 716 and 718 
are stored within a hard disk of client 602. 

Operating system 702 is a Microsoft Windows operating system or, alternatively, any 
other suitable operating system software, which performs conventional operating system 
30 operations. Operating system 702 communicates between web browser 704 and various 
elements of client 602. 

Web browser 704 is a Microsoft Internet Explorer browser or, alternatively, any other 
suitable web browser software, which performs conventional web browser operations. Web 
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browser 704 outputs information to analysis process 710 directly, and indirectly via update 
process 712. Also, web browser 704 receives information from analysis process 710 via user 
notification/report process 714. 

Fig. 8 is a block diagram of entity customer 110. Entity customer 110 includes clients 
5 804, 806, and 808, each for executing respective client processes as discussed hereinabove in 
connection with Fig. 7, and each includes a respective network interface for communicating with 
network 118. For clarity, Fig. 8 shows a connection between client 804 and network 118, but 
clients 806 and 808 are likewise connected to network 118 

Human users 810, 812, and 814 are respective users of clients 804, 806, and 808, similar 
10 to the manner in which computing system 200 operates in association with user 202. Further, 
entity customer 1 10 includes an entity customer administrator 802, which is a computing system 
for executing entity customer administrator processes as discussed elsewhere herein. Human 
system manager 816 is a user of entity customer administrator 802. 

Moreover, entity customer administrator 802 includes a network interface for 
15 communicating with network 1 18. As shown in Fig. 8, entity customer administrator 802 is 
coupled to each of clients 804, 806, and 808, and they communicate information between one 
another. 

In the discussion hereinbelow, client 804 is a representative one of clients 804, 806, and 
808. Although Fig. 8 shows only three clients (i.e., clients 804, 806, and 808), it should be 

20 understood that other clients (substantially identical to clients 804, 806, and 808), are likewise 
coupled to entity customer administrator 802. Each of such other clients operates in association 
with a respective human user, similar to the manner in which client 804 operates with user 810. 
In an alternative embodiment, one or more of clients 804, 806, and 808 perform the operation of 
entity customer administrator 802. 

25 Fig. 9 is an illustration of a visual image (e.g., "screen"), indicated generally at 900, 

displayed by a display device (e.g., display device 208) of a client (e.g., client 602) of an 
individual customer (e.g., individual customer 106) or a client (e.g., client 804) of an entity 
customer (e.g., entity customer 1 10). Screen 900 is an example screen of a "spoof 5 web page 
resource that is misrepresented as a trusted web page resource within a global computer network. 

JO The "spoof web page is output by a spoof server (e.g., spoof server 1 14). 

Screen 900 includes a set of information entry fields ("fields") indicated generally at 902. 
As shown in Fig. 9, fields 902 are regions of screen 900 in which a client's user is asked to 
specify alphanumeric character information. More particularly, in fields 902, the client's user is 
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asked to specify the following information as shown in Fig. 9: first name, last name, address 1, 
address 2, city, state, zip, country, home telephone, work telephone, e-mail address, PayPal 
password, credit cardholder's name, credit card number, credit card expiration date, credit 
cardholder's zip/postal code, credit card security code, social security number, date of birth, 
mother's maiden name, credit card issuing bank, ABA number, account type, routing number, 
account pin, and account number. 

Screen 900 includes a Sign Up "button" 904, which is a region of screen 900. Button 904 
is selectable (e.g., "clickable") by the client's user and is associated with an Internet address of a 
spoof server (e.g., spoof server 1 14). In response to the client's user clicking button 904, the 
client's computer outputs information (specified in fields 902 by the client's user) to such 
addressed spoof server (e.g., spoof server 114) through network 1 18, and security is 
compromised 

Screen 900 is an example screen of a web page resource that is misrepresented by its 
content (e.g., information entry fields 902) as a trusted web page resource. In another example, a 
web page resource is misrepresented by an address in a different web page or in an electronic 
message (e.g., Internet hyperlink embedded in the different web page or in the electronic 
message), where the address's wording appears linked to a trusted web page resource, but 
instead the address is actually linked to a misrepresented web page resource. 

Fig. 10 is an illustration of another screen, indicated generally at 1000, displayed by the 
client's display device. Screen 1000 shows an electronic message, which includes content that 
misrepresents a web page resource as a trusted web page resource. Examples of an electronic 
message include electronic mail ("e-mail") messages and instant messages (e.g., "chat" 
messages). 

In Fig. 10, the web page resource is misrepresented by: (a) a source address 1002 (e.g., 
return message address, such as "supportusers@eBay.com") in the header of the electronic 
message, where the address's wording appears linked to a trusted electronic message resource, 
but instead the address is actually linked to a misrepresented electronic message resource 
associated with a spoof server (e.g., spoof server 1 14) that is not approved by eBay.com; and/or 
(b) an address (e.g., Internet hyperlink) 1004 in the body of the electronic message, where the 
address's wording appears linked to a trusted web page resource, but instead the address is 
actually linked to a misrepresented web page resource that is not approved by eBay.com. 

In response to the client's user "clicking" address 1004, (a) the client's computer outputs 
such address to network 118, (b) the address's linked spoof server outputs signals (e.g., HTML 
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commands or XML commands) to the client's computer, and (c) the client's display device 
displays a screen (e.g., screen 900) of a spoof web page. 

Fig. 1 1 a and 1 lb are illustrations of a screen generally indicated at 1 1 00, displayed by the 
client's display device. Screen 1 100 shows an electronic message, which includes content that 

5 misrepresents a web page resource as a trusted web page resource. Fig. 11a depicts a first part of 
screen 1 1 00, and Fig. 1 lb depicts a second part of screen 1 100. Screen 1 100 is an example of an 
e-mail message that includes markup language (e.g., HTML or XML) commands. The client's 
computing system processes the markup language commands and displays a screen according to 
such commands (e.g., screen 1100 of Figs. 11a and lib). 

10 For example, screen 1 100 includes information entry fields 1 104. Similar to fields 902 of 

screen 900 (described hereinabove in connection with Fig. 9), fields 1104 are regions of screen 
1 100 in which the client's user is asked to specify alphanumeric character information. More 
particularly, in fields 1 104, the client's user is asked to specify the following information as 
shown in Fig. 11a: (a) eBay user ID, (b) eBay password, (c) PayPal password, (d) e-mail address, 

15 (e) credit card/debit card number, (f) credit card/debit card expiration date, (g) credit card/debit 
card type, (h) credit card/debit card bank name, (i) credit card/debit card PIN number, and (j) 
credit card/debit card CW code. Moreover, the client's user is asked to specify additional 
information in fields 1 104 as shown in Fig. 1 lb, namely: (a) credit card/debit card account 
owner, (b) country of account, (c) bank name, (d) bank routing number, (e) checking account 

20 number, (f) social security number, (g) mother's maiden name, (h) date of birth, (i) driver's 
license number, and (j) state of driver's license issue. 

In screen 1 1 00, the web page resource is misrepresented by: (a) a source address 1 1 02 
(e.g., return message address, such as "aw-confirm@ebay.com") in the header of the electronic 
message, where the address's wording appears linked to a trusted electronic message resource, 

25 but instead the address is actually linked to a misrepresented electronic message resource 

associated with a spoof server (e.g., spoof server 1 1 4) that is not approved by eBay.com; and/or 
(b) wording and layout of the information entry fields 1 104 in the body of the electronic 
message, where such wording and layout appear linked to a trusted web page resource, but 
instead the information entry fields 1 104 are actually linked to a misrepresented web page 

30 resource that is not approved by eBay.com. 

Screen 1 100 includes a Submit button 1 106, which is a region of screen 1 1 00. Similar to 
button 904 (discussed hereinabove in connection with Fig. 9) of screen 900, button 1 106 is 
selectable by the client' s user and is associated with an Internet address of a spoof server (e.g., 
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spoof server 1 14). In response to the client's user clicking button 1 106, the client's computer 
outputs information (specified in fields 1 104 by the client's user) to such addressed spoof server 
(e.g., spoof server 114) through network 118, and security is compromised. 

Fig. 12 is an illustration of a screen indicated generally at 1200, displayed by the client's 
5 display device. Likewise, Figs. 13 and 14 are illustrations of screens indicated generally at 1300, 
displayed by a display device of an e-commerce provider administrator (e.g., e-commerce 
provider administrator 302). Figs. 12, 13, and 14 are discussed in more detail hereinbelow. 

Fig. 15 is a flowchart of operation of a process executed by e-commerce provider 
administrator 302. The operation begins at a step 1502, where e-commerce provider 
10 administrator 302 determines whether it has received an electronic message for requested 
analysis (e.g., from individual customers or entity customers via network 1 18). 

In the illustrative embodiment, e-commerce provider administrator 302 receives such an 
electronic message in response to a customer (e.g., individual customer 106 or entity customer 
110) outputting the electronic message to e-commerce provider 102. Such an electronic message 
15 is output by such a customer in response to the customer's receiving the electronic message 
through network 118 and suspecting that the electronic message misrepresents a resource as a 
trusted resource (e.g., a web page). 

At step 1502, if e-commerce provider administrator 302 determines that it has received 
an electronic message for analysis, the operation continues to a step 1504. At step 1504, e~ 
20 commerce provider administrator 302 outputs the electronic message to security provider 120 
through network 1 18 for analysis. After step 1504, the operation returns to step 1502. 

Conversely, if e-commerce provider administrator 302 determines at step 1502 that it has 
not received an electronic message for analysis, the operation continues to a step 1506, where e- 
commerce provider administrator 302 determines whether it has received an Internet address for 
25 requested analysis (e.g., from individual customers or entity customers via network 118). E- 

commerce provider administrator 302 receives such an Internet address in response to a customer 
(e.g., individual customer 106 or entity customer 110) outputting the Internet address to e- 
commerce provider 102. Such an Internet address is output by such a customer in response to 
the customer's suspecting that the Internet address misrepresents a web page resource as a 
30 trusted web page resource. 

At step 1506, if e-commerce provider administrator 302 determines that it has received 
an Internet address for analysis, the operation continues to a step 1508. At step 1508, e- 
commerce provider administrator 302 outputs the Internet address to security provider 120 
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through network 118 for analysis. After step 1508, the operation returns to step 1502. 
Conversely, if e-commerce provider administrator 302 determines at step 1506 that it has not 
received an Internet address for analysis, the operation returns to step 1502. 

Fig. 16 is a flowchart of operation of another process of e-commerce provider 
5 administrator 302. The operation begins at a step 1602, where e-commerce provider 

administrator 302 determines whether it has received an analysis from security provider 120 
through network 1 18. In response to e-commerce provider administrator 302 determining that it 
has received such an analysis, the operation continues to a step 1604. 

At step 1604, e-commerce provider administrator 302 outputs the analysis to an 
1 0 individual customer or an entity customer through network 118 (e.g., the individual customer or 
entity customer from which e-commerce provider administrator 302 received the request for 
analysis). After step 1604, the operation continues to a step 1606, where e-commerce provider 
administrator 302 stores the analysis in its local database 304. After step 1606, the operation 
returns to step 1602. 

15 At step 1602, if e-commerce provider administrator 302 determines that it has not 

received an analysis from security provider 120 through network 1 1 8, the operation continues to 
a step 1608. At step 1608, e-commerce provider administrator 302 determines whether it has 
received a request to display an analysis that is stored in database 304. 

In response to e-commerce provider administrator 302 determining that such a request 

20 has been received, the operation continues to a step 1610. At step 1610, e-commerce provider 
administrator 302 reads the analysis from database 304. After step 1610, the operation continues 
to a step 1612, where e-commerce provider administrator 302 outputs the analysis to its display 
device for display to human security analyst 306 (e.g., which views the displayed analysis, such 
as screen 1300 of Fig. 13). After step 1612, the operation returns to step 1602. 

25 Referring again to step 1608, if e-commerce provider administrator 302 determines that it has not 
received a request to display an analysis that is stored in database 304, the operation continues to 
a step 1614. At step 1614, e-commerce provider administrator 302 determines whether it has 
received a request to display an analysis that is stored remotely in either the mistrusted web 
pages database 506 or the trusted web pages database 508. If so, the operation continues to a 

30 step 1616, where e-commerce provider administrator 302 reads the stored analysis from a 
suitable one of databases 506 and 508. 

After step 1616, the operation continues to step 1612, where e-commerce provider 
administrator 302 outputs the analysis to its display device for display to human security analyst 
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306 (e.g., which views the displayed analysis, such as screen 1300 of Fig. 13). Conversely, at 
step 1614, if e-commerce provider administrator 302 determines that it has not received a request 
to display an analysis that is stored remotely in either database 506 or 508, the operation returns 
to step 1602. 

5 As shown in Fig. 13, screen 1300 includes a set of links, indicated generally at 1302, 

which are regions of screen 1300 that are respectively selectable by the human security analyst 
306 for causing the e-commerce provider administrator 302 to output various aspects of the 
analysis to the display device for viewing by the human security analyst 306. As shown in FIG 
13, the set of links 1302 includes links that are respectively selectable by the human security 

10 analyst 306 to (a) manage alerts, (b) manage reports, (c) manage a black list (e.g., known 
mistrusted web pages database 506), (d) manage a white list (e.g., known trusted web pages 
database 508), (e) manage rules, (f) manage filters, and (g) manage users. 

In the example of Fig. 13, screen 1300 is output by e-commerce provider administrator 
302 in response to human security analyst 306 clicking link 1302 to view and manage the known 

15 mistrusted web pages database 506. By comparison, in the example of Fig. 14, screen 1300 is 
output by e-commerce provider administrator 302 in response to human security analyst 306 
clicking link 1302 to view and manage reports. As shown in Figs. 13 and 14, screen 1300 also 
includes a tool bar 1304, which is substantially identical to a tool bar 1202 of Fig. 12. 
Fig. 17 is a flowchart of operation of analysis process 502 of security provider 

20 administrator 402. At a step 1702, security provider administrator 402 determines whether it has 
received an electronic message (e.g., as illustrated by screen 1000 of Fig. 10) for requested 
analysis (e.g., from an e-commerce provider, an individual customer, or an entity customer via 
network 118). If so, the operation continues to a step 1704. 

At step 1704, security provider administrator 402 parses the electronic message's content 

25 for an Internet address (e.g., an Internet address associated with link 1004 of screen 1000). 
Moreover, at step 1704, security provider administrator 402 performs an analysis of the 
electronic message to determine whether the electronic message likely misrepresents the Internet 
address as representing a trusted web page. Security provider administrator 402 performs such 
analysis by analyzing the electronic message's content and header. In analyzing the electronic 

30 message's content, security provider administrator 402 detects an extent to which the content 
implements specified techniques for deceiving a user. In analyzing the electronic message's 
header, security provider administrator 402 detects an extent to which the header implements 
specified techniques for misrepresenting or concealing an actual source (e.g., source address) of 
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the electronic message. After step 1704, the operation continues to a step 1708. In an alternative 
embodiment: (a) if security provider administrator 402 determines that the electronic message 
likely misrepresents the Internet address, the operation continues to step 1708; or (b) instead, if 
security provider administrator 402 determines otherwise, the operation returns to step 1702. 
5 Referring again to step 1 702, if security provider administrator 402 determines that it has 

not received an electronic message for requested analysis, the operation continues to a step 1706. 
At step 1706, security provider administrator 402 determines whether it has received an Internet 
address for requested analysis (e.g., from an e-commerce provider, an individual customer, or an 
entity customer via network 1 18, or from web-crawler 404). If not, the operation returns to step 

10 1702. Conversely, if security provider administrator 402 determines that it has received an 
Internet address for requested analysis, the operation continues to step 1708. 

At step 1708, security provider administrator 402 determines whether the Internet address 
is stored in trusted web pages database 508. If so, such determination indicates that the Internet 
address represents a trusted web page (and not a spoof web page). In that situation, the operation 

15 continues to a step 1710, where security provider administrator 402 outputs (to 

update/notification process 504) an analysis indicating that the Internet address represents a 
trusted web page. After step 1710, the operation returns to step 1702. 

Conversely, if security provider administrator 402 determines at step 1708 that the 
Internet address is not stored in trusted web pages database 508, such determination indicates 

20 that further analysis is warranted. In that situation, the operation continues to a step 1712. 

At step 1712, security provider administrator 402 determines whether the Internet address 
is stored in mistrusted web pages database 506. If so, such determination indicates that the 
Internet address represents a mistrusted ("spoof) web page (e.g., screen 900 of Fig. 9). In that 
situation, the operation continues to a step 1724. At step 1724, security provider administrator 

25 402 outputs (to update/notification process 504) an analysis indicating that the Internet address 
represents a mistrusted "spoof web page. After step 1724, the operation returns to step 1702. 

Conversely, if security provider administrator 402 determines at step 1712 that the 
Internet address is not stored in the mistrusted web pages database 506, such determination 
indicates that further analysis is warranted. In that situation, the operation continues to a step 

30 1714. 

At step 1714, security provider administrator 402 performs one or more of the following 
analyses: an Internet address analysis, a content analysis, a layout analysis, a site analysis, and a 
reaction analysis. Each of these analyses is discussed in more detail hereinbelow. 
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The Internet address analysis determines whether a potential spoof web page is likely 
misrepresented by analyzing the web page's Internet address information (e.g., Uniform 
Resource Locator ("URL")). More specifically, the Internet address analysis determines a 
likelihood that the web page (associated with a particular URL) is a spoof web page by detecting 
5 an extent to which the web page's URL implements techniques for deceiving a user. For 

example, a spoof web page's URL often includes a widely known trusted URL or a part of such 
a URL, followed by a lengthy and complicated series of characters. The lengthy and 
complicated series of characters have an objective of concealing the actual URL, which is 
associated with the spoof web page. The following hypothetical example URL is associated with 
10 a spoof web page: 

http://www.wholesecuritv.com%201ong%20comT3hcated%20@www.spoofsite.com 

A user may be deceived into perceiving that such URL is associated with 

15 "www.wholesecurity.com." However, in this example, such URL's substantive web page- 
identifying portion is www.spoofsite.com, which follows the "@" symbol. Accordingly, such 
URL is actually associated with "www.spoofsite.com" instead of "www.wholesecurity.com." 

The content analysis determines whether a potential spoof web page is likely 
misrepresented by analyzing the web page's content. More specifically, the content analysis 

20 determines a likelihood that the web page (associated with a particular URL) is a spoof web page 
by detecting an extent to which the web page's content implements techniques for deceiving a 
user. For example, a spoof web page's content often includes (a) content for deceiving a user to 
believe that the user is viewing a trusted web page, and (b) content for performing operations 
which harm the user (e.g., by obtaining the user's confidential, sensitive and/or financial 

25 information via information entry fields). 

Accordingly, in response to determining that the web page's content includes a 
predetermined content, the content analysis determines that the web page is likely 
misrepresented as a trusted web page. For example, the content analysis detects: (a) whether the 
title or body of the web page's markup language content (e.g., HTML or XML content) includes 

30 a trusted web page's logo or name; and (b) whether the web page includes a form (e.g., including 
an information entry field) that ask a user to enter confidential, sensitive and/or financial 
information (e.g., the user's credit card account information or the user's bank account 
information). 
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The layout analysis determines whether a potential spoof web page is likely 
misrepresented by analyzing the web page's layout (e.g., organization of content) to determine 
whether the web page simulates or mimics a layout feature of a trusted web page. Accordingly, 
the layout analysis compares the potential spoof web page's layout to one or more layouts of one 
5 or more known mistrusted (e.g., spoof) web pages, so that the layout analysis determines 

whether the potential spoof web page's layout is similar to a layout of a known mistrusted web 
page. Such analysis is configurable to detect whether the potential spoof web page's layout is 
similar to the layout of the known mistrusted web page in any of the following ways, according 
to a specified preference of a security provider, e-commerce provider, or customer: (a) 

10 substantially similar, (b) substantially identical, and/or (c) exactly identical. Likewise, the layout 
analysis compares a potential spoof web page's layout to one or more layouts of one or more 
web pages that are known targets of web page spoofing (e.g., a web page of a known trusted e- 
commerce provider), so that the analysis determines whether the potential spoof web page's 
layout is similar to a layout of a known trusted web page. 

15 A website includes one or more web pages. In comparison to a trusted website, a spoof 

website has: (a) a relatively young age; (b) relatively smaller size (e.g., relatively few hyperlinks 
to other web pages of the spoof website); and (c) and relatively few hyperlinks to it by known 
trusted web page resources, and vice versa. Also, unlike a trusted website, in an effort to avoid 
detection, operators of spoof websites frequently change the server (e.g., spoof server 1 14) on 

20 which the spoof website is hosted. Moreover, a spoof website is more likely to include 

hyperlinks to specified types of web pages that are infrequently hyperlinked by trusted websites. 

Accordingly, the site analysis determines whether a potential spoof web page is likely 
misrepresented by analyzing information associated with the web page's website, so that such 
information is compared with known trusted websites. In at least one embodiment, such 

25 information includes: (a) an age (e.g., length of time of activity) of the potential spoof web 
page's website; (b) a size (e.g., a number of web pages) of the potential spoof web page's 
website; (c) a number of hyperlinks to the potential spoof web page's website by known trusted 
web pages, and vice versa; (d) a length of time (e.g., duration) that the potential spoof web 
page's website has been hosted by the website's server; and (e) whether the potential spoof web 

30 page's website includes hyperlinks to specified types of web pages that are infrequently 
hyperlinked by trusted websites. 

The reaction analysis determines whether a potential spoof web page is likely 
misrepresented as a trusted resource by outputting a signal to a computing system (e.g., spoof 
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server 1 14) that hosts the web page and analyzing the computing system's response (e.g., 
reaction) thereto. For example, the signals include information requested by information entry 
fields embedded in the web page. A spoof web page's response (from its associated spoof server 
that hosts the spoof web page) is frequently different from a similar trusted web page's response 
5 (from its associated trusted server that hosts the trusted web page). Accordingly, the reaction 
analysis compares the potential spoof web page's response to the similar trusted web page's 
response. 

After step 1714, the operation continues to a step 1716, where security pro vider 
administrator 402 determines (e.g., generates) a score indicating a likelihood that the Internet 
10 address represents a spoof web page, in response to the analyses performed at steps 1704 and 
1714. 

In at least one embodiment, in response to each of analyses performed at steps 1704 and 
1714, security provider administrator 402 outputs a respective indication of whether the web 
page is likely misrepresented as a trusted web page. Accordingly, at step 1716, security provider 

1 5 administrator 402 generates a score in response to a scoring algorithm, which weighs each of the 
respective indications from each of the analyses performed at steps 1704 and 1714. After step 
1716, the operation continues to a step 1718. 

At step 1718, security provider administrator 402 determines whether the score generated 
at 1716 exceeds a first threshold value. If so, the score indicates that the web page associated 

20 with the Internet address is likely a mistrusted web page. If security provider administrator 402 
determines that the score exceeds the first threshold value, the operation continues to step 1724. 

At step 1 724, security provider administrator 402 outputs (to update/notification process 
504) an analysis indicating that the Internet address likely represents a mistrusted web page. 
After step 1724, the operation returns to step 1702. 

25 Referring again to step 1 71 8, if security provider administrator 402 determines that the 

score does not exceed the first threshold value, the operation continues to a step 1 720. At step 
1720, security provider administrator 402 determines whether the score is less than a second 
threshold value. If so, the score indicates that the web page associated with the Internet address 
is likely a trusted web page. If security provider administrator 402 determines that the score is 

30 less than the second threshold value, the operation continues to step 1710. In the illustrative 

embodiment, the first threshold value is higher than the second threshold value. In an alternative 
embodiment, the first threshold value is equal to the second threshold value. 
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At step 1710, security pro vider administrator 402 outputs (to update/notification process 504) an 
analysis indicating that the Internet address likely represents a trusted web page. After step 
1710, the operation returns to step 1702. 

Referring again to step 1720, if security provider administrator 402 determines that the 
5 score is not less than the second threshold value, the score indicates that the web page associated 
with the Internet address is inconclusively either a trusted web page or a mistrusted web page. 
Accordingly, the Internet address represents a neutral web page, and the operation continues to a 
step 1722. 

At step 1722, security provider administrator 402 outputs (to update/notification process 
10 504) an analysis indicating that the Internet address represents a neutral web page. After step 
1722, the operation returns to step 1702. 

Fig. 18 is a flowchart of operation of update/notification process 504 executed by 
security provider administrator 402. At a step 1802, the operation self-loops until security 
provider administrator 402 determines that it has received an analysis from analysis process 502. 
15 In response to security provider administrator 402 determining that it has received an analysis 
from analysis process 502, the operation continues to a step 1804. 

At step 1 804, security provider administrator 402 determines whether the received 
analysis indicates that the Internet address (associated with the analysis) represents a mistrusted 
web page. If so, the operation continues to a step 1806, where security pro vider administrator 
20 402 determines whether it is specified to output the analysis to human system manager 406 for 
further analysis. If so, the operation continues to a step 1808. 

At step 1 808, security provider administrator 402 outputs the analysis to human system 
manager 406 for further analysis. After step 1808, the operation continues to a step 1820, where 
security provider administrator 402 outputs the analysis to an e-commerce provider (e.g., e- 
25 commerce provider 102). After step 1820, the operation returns to step 1802. 

Referring again to step 1806, if security provider administrator 402 is not specified to 
output the analysis to human system manager 406 for further analysis, the operation continues to 
a step 1810. At step 1810, security provider administrator 402 writes the Internet address 
(associated with the analysis) for storage in mistrusted web pages database 506. After step 1810, 
30 the operation continues to step 1820. 

Referring again to step 1804, if the received analysis indicates that the Internet address 
(associated with the analysis) does not represent a mistrusted web page, the operation continues 
to a step 1812. At step 1812, the security provider administrator 402 determines whether the 
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received analysis indicates that the Internet address (associated with the analysis) represents a 
trusted web page. If so, the operation continues to a step 1814. 

At step 1814, security provider administrator 402 determines whether it is specified to 
output the analysis to human system manager 406 for further analysis. If so, the operation 
5 continues to a step 1816, where security provider administrator 402 outputs the analysis to 
human system manager 406 for further analysis. After step 1808, the operation continues to a 
step 1820. 

Conversely, if security provider administrator 402 determines at step 1814 that it is not 
specified to output the analysis to human system manager 406 for further analysis, the operation 

10 continues to a step 1818. At step 1818, security provider administrator 402 writes the Internet 
address (associated with the analysis) for storage in trusted web pages database 508. After step 
1818, the operation continues to step 1820. 

Referring again to Fig. 7, plug-in 706 is plug-in software, which representative clients 
602 and 804 execute in conjunction with web browser software (e.g., web browser 704). Plug-in 

15 706 is an Internet Explorer Plug-in, or alternatively another type of plug-in. In the illustrative 
embodiment, each of representative clients 602 and 804 stores (within their hard disks in 
configuration files or as cookies, or within their memories as in-memory databases) a copy of 
mistrusted web pages database 716 and trusted web pages database 718. 

In the illustrative embodiment, client 602 downloads (e.g., receives) and stores its copy 

20 of plug-in 706 from a trusted source (e.g., security provider 120 or e-commerce provider 102) 
through network 118. Such copy of plug-in 706 is executed by client 602. 

Moreover, in response to its execution of update process 712, client 602 updates its copy 
of detection process 708, analysis process 710, mistrusted web pages database 716, and trusted 
web pages database 718. While executing update process 712, client 602 determines whether its 

25 copy of detection process 708 is up-to-date. If so, client 602 continues with normal operation. 
Conversely, if client 602 determines that its copy of detection process 708 is not up-to-date, 
client 602 downloads and stores an up-to-date version of detection process 708 from a trusted 
source (e.g., security provider 120 or e-commerce provider 102). 

In response to its execution of update process 712, entity customer administrator 802: (a) 

30 downloads and stores its copy of plug-in 706 from a trusted source (e.g., security provider 120 or 
e-commerce provider 102) through network 118, similar to the manner in which client 602 
downloads its copy; (b) updates its copy of detection process 708, analysis process 710, 
mistrusted web pages database 716, and trusted web pages database 718, similar to the manner in 
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which client 602 updates its copy; and (c) outputs them to its connected clients (e.g., client 804) 
while executing its copy of update process 712. 

Fig. 19 is a flowchart of operation of analysis process 710, which is executed by 
representative clients 602 and 804. In the following discussion, client 602 is a representative one 
5 of clients 602 and 804. After a user (e.g., human user 604) enters an Internet address in web 
browser 704, client 602 outputs the Internet address for analysis to analysis process 710. 

As shown in Fig. 19, operation begins at a step 1902. At step 1902, the operation self- 
loops until client 602 determines that it has received an Internet address for analysis. In response 
to client 602 determining that it has received an Internet address for analysis, the operation 

10 continues to a step 1904. 

At step 1904, client 602 determines whether the Internet address is stored in trusted web 
pages database 718. If client 602 determines that the Internet address is stored in database 718, 
such determination indicates that the Internet address represents a trusted web page (and not a 
spoof web page). Accordingly, the operation continues to a step 1906, where client 602 outputs 

15 (to user notification/report process 714) an analysis indicating that the Internet address represents 
a trusted web page. After step 1906, the operation returns to step 1902. 

Referring again to step 1904, if client 602 determines that the Internet address is not 
stored in trusted web pages database 718, such determination indicates that further analysis by 
client 602 is warranted. Accordingly, the operation continues to a step 1908. 

20 At step 1908, client 602 determines whether the Internet address is stored in mistrusted 

web pages database 716. If client 602 determines that the Internet address is stored in mistrusted 
web pages database 716, such determination indicates that the Internet address represents a 
mistrusted web page (e.g., as illustrated by screen 900). Accordingly, the operation continues to 
a step 1920, where client 602 outputs (to user notification/report process 714) an analysis 

25 indicating that the Internet address represents a mistrusted web page. After step 1920, the 
operation returns to step 1902. 

Referring again to step 1908, if client 602 determines that the Internet address is not 
stored in the mistrusted web pages database 716, such determination indicates that further 
analysis by client 602 is warranted. Accordingly, the operation continues to a step 1910. 

30 At step 1910, client 602 performs one or more analyses, including one or more of: an 

Internet address analysis, a content analysis, a layout analysis, a site analysis, and a reaction 
analysis. Each of above analyses is discussed further hereinabove in connection with Fig. 17. 
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After step 1910, the operation continues to a step 1912, where client 602 generates a score 
indicating a likelihood that the Internet address represents a mistrusted web page, in response to 
the analyses performed at step 1910. 

In at least one embodiment, in response to each of analyses performed at step 1910, client 
5 602 outputs a respective indication of whether the Internet address likely represents a mistrusted 
web page. Accordingly, at step 1912, client 602 generates a score in response to a scoring 
algorithm, which weighs the each of the respective indications from each of the analyses 
performed at step 1910. After step 1912, the operation continues to a step 1914. 

At step 1914, client 602 determines whether the score generated at 1912 exceeds a first 
10 threshold value. If so, the score indicates that the web page associated with the Internet address 
is likely a mistrusted web page. If client 602 determines that the score exceeds the first threshold 
value, the operation continues to step 1920. 

At step 1920, client 602 outputs (to user notification/report process 714) an analysis 
indicating that the Internet address represents a mistrusted web page. After step 1920, the 
15 operation returns to step 1902. 

Referring again to step 1914, if client 602 determines that the score does not exceed the 
first threshold value, the operation continues to a step 1916. At step 1916, client 602 determines 
whether the score is less than a second threshold value. If so, the score indicates that the web 
page associated with the Internet address is likely a trusted web page. If client 602 determines 
20 that the score is less than the second threshold value, the operation continues to step 1906. In the 
illustrative embodiment, the first threshold value is higher than the second threshold value. In an 
alternative embodiment, the first threshold value is equal to the second threshold value. 

At step 1906, client 602 outputs (to user notification/report process 714), an analysis 
indicating that the Internet address represents a trusted web page. After step 1906, the operation 
25 returns to step 1902. 

Referring again to step 1916, if client 602 determines that the score is not less than the 
second threshold value, the score indicates that the web page associated with the Internet address 
is inconclusively either a trusted web page or a mistrusted web page. Accordingly, the Internet 
address represents a neutral web page, and the operation continues to a step 1918. 
30 At step 1918, client 602 outputs (to user notification/report process 714) an analysis 

indicating that the Internet address represents a neutral web page. After step 1918, the operation 
returns to step 1902. 
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Fig. 20 is a flowchart of operation of user notification/report process 714 executed by 
client 602. At a step 2002, the operation self-loops until client 602 determines that it has 
received an analysis from analysis process 710. In response to client 602 determining that it has 
received an analysis from analysis process 710, the operation continues to a step 2004. 
5 At step 2004, client 602 determines whether the received analysis indicates that the 

Internet address (associated with the analysis) represents a trusted web page. If so, the operation 
continues to a step 2006, where client 602 outputs a screen (e.g., screen 1300) to a display device 
(e.g., display device 208), and/or outputs audio signals to speakers (e.g., internal speakers of 
computing system 200), indicating that the Internet address (associated with the analysis) 

10 represents a trusted web page. After step 2006, the operation returns to step 2002. 

Conversely, if the received analysis indicates that the Internet address (associated with 
the analysis) does not represent a trusted web page, the operation continues from step 2004 to a 
step 2008. At step 2008, client 602 determines whether the received analysis indicates that the 
Internet address (associated with the analysis) represents a mistrusted web page. If so, the 

1 5 operation continues to a step 20 1 0. 

At step 2010, client 602 5 s computer outputs a screen (e.g., screen 1200) to a display 
device (e.g., display device 208), and/or outputs audio signals to speakers (e.g., internal speakers 
of computing system 200), indicating that the Internet address (associated with the analysis) 
represents a mistrusted web page. After step 2010, the operation continues to step 2014. 

20 Referring again to Fig. 12, a display device (e.g., display device 208) displays screen 

1200 in response to client 602 outputting a signal indicating that the Internet address represents a 
mistrusted web page. Screen 1200 includes tool bar 1202, which is a region of screen 1200. 
Likewise, screen 1300 (Figs. 13 and 14) includes tool bar 1304, which is a region of screen 1300. 
As shown in Figs. 12, 13 and 14, screens 1200 and 1300 include distinct respective 

25 messages, in response to whether an Internet address represents: (a) a mistrusted web page (as 
shown in tool bar 1202 of Fig. 12); (b) a trusted web page (as shown in tool bar 1304 of Figs. 13 
and 14); or (c) a neutral web page. 

Screen 1200 also includes a dialog box 1204, which is a region of screen 1200 for 
displaying various information to a user (e.g., human user 604) about a mistrusted web page. 

30 Dialog box 1204 includes buttons 1206, 1208, 1210, and 1212, respectively clickable by the user 
for selectively causing client 602 to perform various operations. For example, in response to the 
user clicking button 1206, client 602 causes web browser 704 to display the user's pre-defined 
homepage. In response to the user clicking button 1208, client 602 causes web browser 704 to 
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display the mistrusted web page that is represented by the Internet address. In response to the 
user clicking button 1210, client 602 closes web browser 704 (e.g., ceases executing web 
browser 704). In response to the user clicking button 1210, client 602 outputs the Internet 
address (representing a mistrusted web page) to security provider 120 through network 118. 
5 In an alternative embodiment, in response to client 602 determining that the Internet 

address represents a mistrusted web page, the display device of client 602 does not display 
dialog box 1204, but instead displays a message (in tool bar 1202) indicating that the Internet 
address represents a misrepresented web page. In at least one version of such alternative 
embodiment, client 602 does not display the web page (represented by the Internet address) in 

10 web browser 704. 

Referring again to Fig. 20, at step 2014, client 602 determines whether it is specified to 
report the Internet address to a security provider (e.g., security provider 120). If so (e.g., if user 
has clicked button 1210), the operation continues to step 2016. At step 2016, client 602 outputs 
the Internet address to a security provider (e.g., security provider 120) through network 1 18. If 

15 client 602 determines at step 602 that it is not specified to report the Internet address to a security 
provider, the operation returns to step 2002. 

Referring again to step 2008, if client 602 determines that the received analysis indicates 
that the Internet address (associated with the analysis) does not represent a mistrusted web page, 
the operation continues to a step 2012. At step 2012, client 602 outputs a screen (e.g., screen 

20 1300) to a display device (e.g., display device 208), and/or outputs audio signals to speakers 

(e.g., internal speakers of computing system 200), indicating that the Internet address (associated 
with the analysis) represents a neutral web page. After step 2012, the operation continues to step 
2014. 

Referring again to Fig. 2, computer-readable medium 212 is a floppy diskette. 

25 Computer-readable medium 212 and computer 204 are structurally and functionally interrelated 
with one another as described further hereinbelow. Each IHS of the illustrative embodiment is 
structurally and functionally interrelated with a respective computer-readable medium, similar to 
the manner in which computer 204 is structurally and functionally interrelated with computer- 
readable medium 212. In that regard, computer-readable medium 212 is a representative one of 

30 such computer-readable media, including for example but not limited to storage device 211. 

Computer-readable medium 212 stores (e.g., encodes, or records, or embodies) functional 
descriptive material (e.g., including but not limited to software (also referred to as computer 
programs or applications) and data structures). Such functional descriptive material imparts 
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functionality when encoded on computer-readable medium 212. Also, such functional 
descriptive material is structurally and functionally interrelated to computer-readable medium 
212. 

Within such functional descriptive material, data structures define structural and 
5 functional interrelationships between such data structures and computer-readable medium 212 
(and other aspects of computer 204, computing system 200 and system 100). Such 
interrelationships permit the data structures' functionality to be realized. Also, within such 
functional descriptive material, computer programs define structural and functional 
interrelationships between such computer programs and computer-readable medium 212 (and 

10 other aspects of computer 204, computing system 200 and system 100). Such interrelationships 
permit the computer programs 5 functionality to be realized. 

For example, computer 204 reads (e.g., accesses or copies) such functional descriptive 
material from computer-readable medium 212 into the memory device of computer 204, and 
computer 204 performs its operations (as described elsewhere herein) in response to such 

1 5 material which is stored in the memory device of computer 204. More particularly, computer 
204 performs the operation of processing a computer application (that is stored, encoded, 
recorded or embodied on a computer-readable medium) for causing computer 204 to perform 
additional operations (as described elsewhere herein). Accordingly, such functional descriptive 
material exhibits a functional interrelationship with the way in which computer 204 executes its 

20 processes and performs its operations. 

Further, the computer-readable medium is an apparatus from which the computer 
application is accessible by computer 204, and the computer application is processable by 
computer 204 for causing computer 204 to perform such additional operations. In addition to 
reading such functional descriptive material from computer-readable medium 212, computer 204 

25 is capable of reading such functional descriptive material from (or through) network 112 which 
is also a computer-readable medium (or apparatus). Moreover, the memory device of computer 
204 is itself a computer-readable medium (or apparatus). 

Although illustrative embodiments have been shown and described, a wide range of 
modification, change and substitution is contemplated in the foregoing disclosure and, in some 

30 instances, some features of the embodiments may be employed without a corresponding use of 
other features. 
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CLAIMS 

What is claimed is: 

1 . A method performed by an information handling system, the method comprising: 
5 . determining whether a resource is likely misrepresented as a trusted resource within a 

global computer network. 

2. The method of claim 1 3 wherein the resource is likely misrepresented by a content 
of a web page. 

10 

3. The method of claim 2, wherein the content is an information entry field 
embedded in the web page. 

4. The method of claim 2, wherein the web page is a first web page, and wherein the 
1 5 content is an address of a second web page. 

5. The method of claim 4, wherein the address is a hyperlink embedded in the first 
web page. 

20 6. The method of claim 1, wherein the resource is likely misrepresented by a content 

of an electronic message. 

7. The method of claim 6, wherein the content is an information entry field 
embedded in the electronic message. 

25 

8. The method of claim 6, wherein the content is an address of a web page. 

9. The method of claim 8, wherein the address is a hyperlink embedded in the 
electronic message. 

30 

10. The method of claim 6, wherein the content is a source address of the electronic 
message. 

1 1 . The method of claim 1, wherein the resource is a web page. 
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12. The method of claim 11, wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

analyzing an address of the web page. 

13. The method of claim 12, wherein the analyzing comprises: 

in response to determining that the address points to a known trusted web page, 
determining that the web page is not misrepresented as a trusted resource. 

14. The method of claim 12, wherein the analyzing comprises: 

in response to determining that the address points to a known mistrusted web page, 
determining that the web page is likely misrepresented as a trusted resource. 

1 5 . The method of claim 1 1 , wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

analyzing a content of the web page. 

16. The method of claim 15, wherein the analyzing comprises: 

in response to determining that the content includes a predetermined content, determining 
that the web page is likely misrepresented as a trusted resource. 

17. The method of claim 16, wherein the predetermined content is a request for 
financial information. 

18. The method of claim 17, wherein the financial information is information about a 
bank account. 

19. The method of claim 17, wherein the financial infonnation is information about a 
credit card account. 

20. The method of claim 1 1, wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

analyzing a layout of the web page. 
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21 . The method of claim 20, wherein the analyzing comprises: 

in response to determining that the layout is similar to a layout of a known mistrusted 
web page, determining that the web page is likely misrepresented as a trusted resource. 

22. The method of claim 1 1 , wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

analyzing information associated with the web page. 

23. The method of claim 22, wherein the web page is part of a website, and wherein 
analyzing the information comprises: 

determining an age of the website. 

* 

24. The method of claim 22, wherein the web page is part of a website, and wherein 
analyzing the information comprises: 

determining a size of the website. 

25. The method of claim 22, wherein the web page is part of a website, and wherein 
analyzing the information comprises: 

determining a number of hyperlinks to the website by a known trusted resource. 

26. The method of claim 1 1 , wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

outputting a signal to a computing system that hosts the web page, and analyzing the 
computing system's response thereto. 

27. The method of claim 1 1 , wherein determining whether the resource is likely 
misrepresented as a trusted resource comprises: 

performing at least two of the following operations: 
analyzing an address of the web page; 
analyzing a content of the web page; 
analyzing a layout of the web page; 
analyzing information associated with the web page; and 



28 



WO 2004/055632 



PCT/US2003/039359 



outputting information to the web page and analyzing the web page's response 
thereto; and 

in response to the performed operations, determining a score indicative of whether the 
resource is likely misrepresented as a trusted resource. 

5 

28. The method of claim 27, wherein the performing comprises performing at least 
three of the operations. 

29. The method of claim 27, wherein the performing comprises performing at least 
1 0 four of the operations. 

30. The method of claim 27, wherein the performing comprises performing at least 
five of the operations. 

15 31. A system, comprising: 

an information handling system for determining whether a resource is likely 
misrepresented as a trusted resource within a global computer network. 

32. The system of claim 31, wherein the resource is likely misrepresented by a 
20 content of a web page. 

33. The system of claim 32, wherein the content is an information entry field 
embedded in the web page. 

25 34. The system of claim 32, wherein the web page is a first web page, and wherein 

the content is an address of a second web page. 

35. The system of claim 34, wherein the address is a hyperlink embedded in the first 
web page. 

30 

36. The system of claim 3 1 , wherein the resource is likely misrepresented by a 
content of an electronic message. 
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37. The system of claim 36, wherein the content is an information entry field 
embedded in the electronic message. 

38. The system of claim 36, wherein the content is an address of a web page. 

39. The system of claim 38, wherein the address is a hyperlink embedded in the 
electronic message. 

40. The system of claim 36, wherein the content is a source address of the electronic 
message. 

4 1 . The system of claim 3 1 , wherein the resource is a web page. 

42. The system of claim 41, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing an address of the web page. 

43. The system of claim 42, wherein the information handling system is for analyzing 
an address of the web page by at least: 

in response to determining that the address points to a known trusted web page, 
determining that the web page is not misrepresented as a trusted resource. 

44. The system of claim 42, wherein the information handling system is for analyzing 
an address of the web page by at least: 

in response to determining that the address points to a known mistrusted web page, 
determining that the web page is likely misrepresented as a trusted resource. 

45. The system of claim 41 , wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing a content of the web page. 

46. The system of claim 45, wherein the information handling system is for analyzing 
a content of the web page by at least: 
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in response to determining that the content includes a predetermined content, determining 
that the web page is likely misrepresented as a trusted resource. 

47. The system of claim 46, wherein the predetermined content is a request for 
5 financial information. 

48. The system of claim 47, wherein the financial information is information about a 
bank account 

10 49. The system of claim 47, wherein the financial information is information about a 

credit card account. 

50. The system of claim 41, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

1 5 analyzing a layout of the web page. 

5 1 . The system of claim 50, wherein the information handling system is for analyzing 
a layout of the web page by at least: 

in response to determining that the layout is similar to a layout of a known mistrusted 
20 web page, determining that the web page is likely misrepresented as a trusted resource. 

52. The system of claim 41, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing information associated with the web page. 

25 

53. The system of claim 52, wherein the web page is part of a website, and wherein 
the information handling system is for analyzing information associated with the web page by at 
least: 

determining an age of the website. 

30 

54. The system of claim 52, wherein the web page is part of a website, and wherein 
the information handling system is for analyzing information associated with the web page by at 
least: 
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determining a size of the website. 

55. The system of claim 52, wherein the web page is part of a website, and wherein 
the information handling system is for analyzing information associated with the web page by at 
least: 

determining a number of hyperlinks to the website by a known trusted resource. 

56. The system of claim 41, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

outputting a signal to a computing system that hosts the web page, and analyzing the 
computing system's response thereto. 

57. The system of claim 41 , wherein the iriformation handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by at least: 

performing at least two of the following operations: 
analyzing an address of the web page; 
analyzing a content of the web page; 
analyzing a layout of the web page; 
analyzing information associated with the web page; and 
outputting information to the web page and analyzing the web page's response 
thereto; and 

in response to the performed operations, determining a score indicative of whether the 
resource is likely misrepresented as a trusted resource. 

58. The system of claim 57, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by performing at 
least three of the operations. 

59. The system of claim 57, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by performing at 
least four of the operations. 
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60. The system of claim 57, wherein the information handling system is for 
determining whether the resource is likely misrepresented as a trusted resource by performing at 
least five of the operations. 

61. A computer program product, comprising: 

a computer program processable by an information handling system for causing the 
information handling system to determine whether a resource is likely misrepresented as a 
trusted resource within a global computer network; and 

apparatus from which the computer program product is accessible from the computer- 
readable medium. 

62. The computer program product of claim 6 1 , wherein the resource is likely 
misrepresented by a content of a web page. 

63. The computer program product of claim 62, wherein the content is an information 
entry field embedded in the web page. 

64. The computer program product of claim 62, wherein the web page is a first web 
page, and wherein the content is an address of a second web page. 

65. The computer program product of claim 64, wherein the address is a hyperlink 
embedded in the first web page. 

66. The computer program product of claim 61, wherein the resource is likely 
misrepresented by a content of an electronic message. 

67. The computer program product of claim 66, wherein the content is an information 
entry field embedded in the electronic message. 

68. The computer program product of claim 66, wherein the content is an address of a 
web page. 



33 



WO 2004/055632 



PCT/US2003/039359 



69. The computer program product of claim 68, wherein the address is a hyperlink 
embedded in the electronic message. 

70. The computer program product of claim 66, wherein the content is a source 
address of the electronic message. 

71. The computer program product of claim 61, wherein the resource is a web page. 

72. The computer program product of claim 7 1 , wherein the computer program is 
processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing an address of the web page. 

73. The computer program product of claim 72, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
analyze an address of the web page by at least: 

in response to detennining that the address points to a known trusted web page, 
determining that the web page is not misrepresented as a trusted resource. 

74. The computer program product of claim 72, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
analyze an address of the web page by at least: 

in response to determining that the address points to a known mistrusted web page, 
determining that the web page is likely misrepresented as a trusted resource. 

75. The computer program product of claim 7 1 , wherein the computer program is 
processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing a content of the web page. 

76. The computer program product of claim 75, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
analyze a content of the web page by at least: 
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in response to determining that the content includes a predetermined content, determining 
that the web page is likely misrepresented as a trusted resource. 

77. The computer program product of claim 76, wherein the predetermined content is 
5 a request for financial information. 

78. The computer program product of claim 77, wherein the financial information is 
information about a bank account. 

10 79. The computer program product of claim 77, wherein the financial information is 

information about a credit card account. 

80. The computer program product of claim 7 1 , wherein the computer program is 
processable by the information handling system for causing the information handling system to 

1 5 determine whether the resource is likely misrepresented as a trusted resource by at least: 

analyzing a layout of the web page. 

8 1 . The computer program product of claim 80, wherein the computer program is 
processable by the information handling system for causing the information handling system to 

20 analyze a layout of the web page by at least: 

in response to determining that the layout is similar to a layout of a known mistrusted 
web page, determining that the web page is likely misrepresented as a trusted resource. 

82. The computer program product of claim 7 1 , wherein the computer program is 
25 processable by the information handling system for causing the information handling system to 

determine whether the resource is likely misrepresented as a trusted resource by at least: 
analyzing information associated with the web page. 

83. The computer program product of claim 82, wherein the web page is part of a 
30 website, and wherein the computer program is processable by the information handling system 

for causing the information handling system to analyze information associated with the web page 
by at least: 

determining an age of the website. 
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84. The computer program product of claim 82, wherein the web page is part of a 
website, and wherein the computer program is processable by the information handling system 
for causing the information handling system to analyze information associated with the web page 

5 by at least: 

determining a size of the website. 

85. The computer program product of claim 82, wherein the web page is part of a 
website, and wherein the computer program is processable by the information handling system 

10 for causing the information handling system to analyze information associated with the web page 
by at least: 

determining a number of hyperlinks to the website by a known trusted resource. 

86. The computer program product of claim 7 1 , wherein the computer program is 

1 5 processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by at least: 

outputting a signal to a computing system that hosts the web page, and analyzing the 
computing system's response thereto. 

20 87. The computer program product of claim 71, wherein the computer program is 

processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by at least: 
performing at least two of the following operations: 
analyzing an address of the web page; 
25 analyzing a content of the web page; 

analyzing a layout of the web page; 
analyzing information associated with the web page; and 
outputting information to the web page and analyzing the web page's response 
thereto; and 

30 in response to the performed operations, determining a score indicative of whether the 

resource is likely misrepresented as a trusted resource. 
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88. The computer program product of claim 87, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by performing at 
least three of the operations. 

89. The computer program product of claim 87, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by performing at 
least four of the operations. 

90. The computer program product of claim 87, wherein the computer program is 
processable by the information handling system for causing the information handling system to 
determine whether the resource is likely misrepresented as a trusted resource by performing at 
least five of the operations. 

91. A method performed by an information handling system ("IHS")> the method 
comprising: 

outputting an indication of whether a resource within a global computer network is 
recognized as a known trusted resource. 

92. The method of claim 9 1 , wherein the outputting comprises: 

outputting the indication of whether the resource is recognized as one of the following: a 
known trusted resource and a known mistrusted resource. 

93 . The method of claim 9 1 , wherein the outputting comprises : 

in response to the resource being recognized as a known trusted resource, outputting the 
indication that the resource is recognized as a known trusted resource. 

94. The method of claim 9 1 , wherein the outputting comprises: 

in response to the resource being recognized as a known mistrusted resource, outputting 
the indication that the resource is recognized as a known mistrusted resource. 

95. The method of claim 91 , wherein the outputting comprises: 
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in response to the resource being unrecognized, outputting the indication that the resource 
is unrecognized. 

96. The method of claim 91 , wherein the outputting comprises: 
5 outputting audio signals through a speaker of the MS. 

97. The method of claim 91 , wherein the outputting comprises: 
displaying the indication. 

10 98. The method of claim 97, wherein the displaying comprises: 

displaying the indication in a screen displayed by a display device of the IHS. 

99. The method of claim 98, wherein the displaying comprises: 
displaying the indication in a web browser window of the screen. 

15 

1 00. The method of claim 99, wherein the displaying comprises: 
displaying the indication in a toolbar of the web browser window. 

101. The method of claim 98, wherein the displaying comprises: 

20 displaying the indication in a portion of the screen that is allocated to display information 

of an operating system. 

102. The method of claim 101, wherein the displaying comprises: 
displaying the indication in a system tray of the portion. 

25 

1 03 . A system, comprising: 

an information handling system ("IHS") for outputting an indication of whether a 
resource within a global computer network is recognized as a known trusted resource. 

30 1 04. The system of claim 1 03 , wherein the IHS is for outputting the indication by 

outputting the indication of whether the resource is recognized as one of the following: a known 
trusted resource and a known mistrusted resource. 
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105. The system of claim 103, wherein the IHS is for outputting the indication by: in 
response to the resource being recognized as a known trusted resource, outputting the indication 
that the resource is recognized as a known trusted resource. 

106. The system of claim 103, wherein the IHS is for outputting the indication by: in 
response to the resource being recognized as a known mistrusted resource, outputting the 
indication that the resource is recognized as a known mistrusted resource. 

107. The system of claim 103, wherein the IHS is for outputting the indication by: in 
response to the resource being unrecognized, outputting the indication that the resource is 
unrecognized. 

108. The system of claim 103, wherein the IHS is for outputting the indication by 
outputting audio signals through a speaker of the IHS. 

109. The system of claim 103, wherein the IHS is for outputting the indication by 
displaying the indication. 

1 10. The system of claim 109, wherein the IHS is for displaying the indication by 
displaying the indication in a screen displayed by a display device of the IHS. 

111. The system of claim 110, wherein the IHS is for displaying the indication by 
displaying the indication in a web browser window of the screen. 

1 12. The system of claim 111, wherein the IHS is for displaying the indication by 
displaying the indication in a toolbar of the web browser window. 

113. The system of claim 110, wherein the IHS is for displaying the indication by 
displaying the indication in a portion of the screen that is allocated to display information of an 
operating system. 
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1 14. The system of claim 113, wherein the IHS is for displaying the indication by 
displaying the indication in a system tray of the portion. 

115. A computer program product, comprising: 

5 a computer program processable by an information handling system ("MS") for causing 

the IHS to output an indication of whether a resource within a global computer network is 
recognized as a known trusted resource; and 

apparatus from which the computer program product is accessible from the computer - 

readable medium. 

10 

116. The computer program product of claim 115, wherein the computer program 
product is processable by the IHS for causing the IHS to output the indication by outputting the 
indication of whether the resource is recognized as one of the following: a known trusted 
resource and a known mistrusted resource. 

15 

1 17. The computer program product of claim 115, wherein the computer program 
product is processable by the IHS for causing the IHS to output the indication by: in response to 
the resource being recognized as a known trusted resource, outputting the indication that the 
resource is recognized as a known trusted resource. 

20 

118. The computer program product of claim 1 1 5, wherein the computer program 
product is processable by the IHS for causing the IHS to output the indication by: in response to 
the resource being recognized as a known mistrusted resource, outputting the indication that the 
resource is recognized as a known mistrusted resource. 

25 

119. The computer program product of claim 115, wherein the computer program 
product is processable by the IHS for causing the IHS to output the indication by: in response to 
the resource being unrecognized, outputting the indication that the resource is unrecognized. 

30 120. The computer program product of claim 1 1 5, wherein the computer program 

product is processable by the IHS for causing the IHS to output the indication by outputting 
audio signals through a speaker of the IHS. 
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121. The computer program product of claim 115, wherein the computer program 
product is processable by the EHS for causing the IHS to output the indication by displaying the 
indication. 

1 22. The computer program product of claim 121, wherein the computer program 
product is processable by the IHS for causing the IHS to display the indication by displaying the 
indication in a screen displayed by a display device of the MS. 

123. The computer program product of claim 1 22, wherein the computer program 
product is processable by the IHS for causing the IHS to display the indication by displaying the 
indication in a web browser window of the screen. 

124. The computer program product of claim 123, wherein the computer program 
product is processable by the IHS for causing the IHS to display the indication by displaying the 
indication in a toolbar of the web browser window. 

125. The computer program product of claim 122, wherein the computer program 
product is processable by the IHS for causing the IHS to display the indication by displaying the 
indication in a portion of the screen that is allocated to display information of an operating 
system. 

126. The computer program product of claim 125, wherein the computer program 
product is processable by the IHS for causing the IHS to display the indication by displaying the 
indication in a system tray of the portion. 



41 



WO 2004/055632 



PCT/US2003/039359 



108 



106 



INDIVIDUAL 
CUSTOMER 



104 



E-COMMERCE 
PROVIDER 



102 



E-COMMERCE 
PROVIDER 



Fig. 1 



INDIVIDUAL 
CUSTOMER 



110 



ENTITY 
CUSTOMER 



112 



ENTITY 
CUSTOMER 



SECURITY 
PROVIDER 




114 



SPOOF 
SERVER 
=»- 



116 



SPOOF 
SERVER 



'100 



1/21 



WO 2004/055632 PCT/US2003/039359 






206 



208 




COMPUTER 



212 



I 




200 



PRINT DEVICE 



210 



TO/FROM 
NETWORK 
118 



CO 

m 

> 

i 

CD 

f— 

m 
o 

o 



FIG. 2 



2/21 



WO 2004/055632 



PCI7US2003/039359 



TO/FROM 
NETWORK 
(INDIVIDUAL 
CUSTOMERS, 

ENTITY 
CUSTOMERS) 
118 

A 



E-COMMERCE 
PROVIDER 



302 



304 



SECURITY 
ANALYST 



•306 












E-COMMERCE 








PROVIDER 
ADMINISTRATOR 


■< ► 


DATABASE 


-4 ► 





Fig. 3 



TO/FROM 
NETWORK 
(SECURITY 
PROVIDER) 
118 



3/21 



WO 2004/055632 



PCT7US2003/039359 



TO/FROM 
NETWORK 
118 



SECURITY PROVIDER 



WEB-CRAWLER 



404 



SECURITY PROVIDER 
ADMINISTRATOR 



402 



/ 



406 



HUMAN 
SYSTEM 
MANAGER 



Fig. 4 



TO/FROM 
NETWORK 
(INDIVIDUAL 
CUSTOMER, E- 
COMMERCE 
PROVIDER, ENTITY 
CUSTOMER) 
118 



4/21 



WO 2004/055632 



PCT/US2003/039359 



FROM 




Fig. 5 



5/21 



WO 2004/055632 



PCT/US2003/039359 



INDIVIDUAL 
CUSTOMER 



/ 

HUMAN USER 



604 



602 



CLIENT 



Fig. 6 



TO/FROM 
NETWORK 
118 



6/21 



WO 2004/055632 



PCT/US2003/039359 




704 




712 




UPDATE PROCESS 




714 



ANALYSIS PROCESS 



716 



MISTRUSTED WEB 
PAGES DATABASE 




TRUSTED WEB 
PAGES DATABASE 



DETECTION PROCESS 



708 



PLUGIN 



706 



TO/FROM 
NETWORK 118 AND 
* OTHER 



HARDWARE 
ELEMENTS 



Fig. 7 



7/21 



WO 2004/055632 



PCT/US2003/039359 



TO/FROM 
NETWORK- 
118 



ENTITY CUSTOMER 



/ 



810 



HUMAN 
USER 



i 



/ 

HUMAN 
USER 

4 



812 



/ 



814 



HUMAN 
USER 



A 



804 



CLIENT 



A 



806 



CLIENT 



i 



808 



CLIENT 
k 



802 



ENTITY CUSTOMER ADMINISTRATOR 



^,816 

HUMAN 
SYSTEM 
MANAGER 



Fig. 8 



TO/FROM 
NETWORK 
118 



8/21 



WO 2004/055632 PCT/US2003/039359 



J^iPairta) *£rnn u » internet aiotorer- ' -'-ik'r.yri 






.-fib Edft.&w FcraMfce* Tofifc rfcfr ";V ! - . ' !** . 45 


* 


- . t . i 


1 «. 




& • • ''■ J. 


i A<5A{*f !ft]httj2//i4.43QA4 87C -ill ^» 




w drama 




j send Money 


Request Money 


SI 




fid 


• 


'-/ 







■ 



Personal Account Verificati on - Ju*t l-p^gci Pcwonel I Bttdnsa S ii*«»™«oii*t si™ »n 



Yccr Profile inform stfcro - Thb w(P be sweassed by PayPal. Year InfoamfttJoe wiB bs kept iwirt a\4 prfvaw. asm 

and rfrtt&i 



FIrrt N.eroe; £ 



! 



902 



Ust Kerne: | 

Address t: 

Address 2z 

(optie&af) 
City; 



«Jfc**l . ^| • ***** * .v. 



4 — . —* 



--wt - - jm i.o 



State: 

Country: U.S.A. frftyfcfe ft ? Utl^ 

i t., ,„ . , frrrt Pr*ra 3 Km Privity 



Home Tclephoftdi j~ i 

* ' I ' m I l * 

Work Telephone: 
(options!) 



Yoor Emeti ftdrfress ax>i Password • Enter the e-mafi address and paw word which yon use *o Icoei &?*ypii. 



Email Add 



C 

Paw word: ![" 



credit verification - Enter the credit esrd iafamutifln whiah you use wfth PayPal, Pleue make turn that yeu have 
entered thb informafein corrrdiy, es your account wil not ba re-activated If ft. if wrong. 



ceFdbeJdeVf Name: | ~ 
Credit card Number { j _ | j _ | - [] 



t 



Zlp/Postel Code: 
Security Code: 



Expiration Date: Jmuar^_ j^j |2002f2j 



^! <5cr 9 digits) 

(On the back of your cart, toeata the fine) 3 «dlg»t numhar) 



p « ^ 



AddRlonttl SecorRy Infe« « In order to WJy nlWate ywr ecoewt wc e»k feftt teu HI i» «mo 



Social Seoirity Nwrofcw f 
IWe efl**h;£ 
«gtfcer"ff^idenNeme;[ 



1 



(^rn/ad/rmJ 



l*?pmg Hflnte i 

ABA. NlU&Dftf I 

tecwuitType ffchacfetng 

Savings 
Routtnp Number I. Y 



Ct«nk braoth wimfcir) 



Thu i* (hi narao*? Iee«t«l b«wtcfi the i& tribal*. 



AcceutUPfn: 



j (4- tfigi t numbsr * m^E ester) 



Account Numbers J7! " ~ . -,.. t ,„-,.i 11 ' 

Tmcaflr comas btfere the r symhol. Its exert lecetlen end> number ef 4ajM varies 
from back bmk. 

Use the imaga betow to enter your account number And routing number. 

• iLSLCueeftBiiftpie 

jnr •"• 'f ' .:. V..;;. '.;?;{■ ;|;1U 



CP 

m 

> 
03 

o 

o 

T5 



By dkklns 'Continue*,. 2 aoree te be bound by Paypafc uwr ■ag^rment. urgf ag^mgnt.' SgnUp — 904 



Fig. 9 

9/21 



WO 2004/055632 



PCT/US2003/039359 




10/21 



WO 2004/055632 PCT/US2003/039359 




CD 

m 

CP 



CD 

m 
O 

o 




D) 

Ll 



11/21 



WO 2004/055632 PCT/US2003/039359 



o 

33 



M * 

1ft 

ft X L Ffii 

• •■•■V 



HI fr* 1 

• -o 

;> : 

•25 



i i I j ■ 
'111 

■ E 1 f i r 



"MS 
I, .1 

jj.. 
■I 1 .' 



I 



. . 1 v. . 



•IM J ; 



_ i 1 1 1 i t * ■ 

•ml :; 5 , 

• i I j I i j ■ 
'i tr'.'l. 
: i-< • • 



I 

o> 
to 
v> 

a 

£ 

AS 

§ 



i3 



■ t 

: t 
,i i 
: I *■ 



s r 

to 

£3- 
CO 

o 

I 

ID 

c 
o 

£ . 



P 
in 



i 

HI 

it 

' M 

I'll 
■VI. 

t 



. 

"V . 

:f : 



fhi 

f: a . 



• • • .* ^o.l • 

•.••;>- : aj. • 



ten- ::• ' 



: :;4;' 



!i !! 



ili; 



--■t'- Hi': 

.r.ilt-iiS li 
. -ii ijj.. 
S . . il3. 

1 'I* ;•• . r t 





i * — — . - -< 



o 



1 



t-l 



8 

o 

< 



-5 m 

V > 

JZ o 

e ^: 

n « 

« ii 

£ I 

•o Si 

c o 



35 

II 





53 




w 
a) 




"S 
W 


i 
<** 


73 
CD 

*C 







~ ■ ■ > 

"«'' ''i 



c 

3 
O 



| 7-8 

i:i , ■ *S j 

Q 



c 
3 

o 
u 
o 

< 



IS 

E 

, ID 
■iC. 

c- 

•o. 



c 

o 
u 

c 
o 



c 

3 
O 

(J 

u ». 

to.--;,' 

oi : 
c 

!2. ■ 
o . . 

03 ' " • 

o ft 



S3 

4-1 

s 

u 



o 

O 

p 
£ 

to 

> 



i- 

> 



ui M 

: : 1 t r I I 

i ! 1 11 1 1 

jiijl] 

j > : » J : t." 

i p ! I IE 1 




^ . r 
if 

win 
-* .- 1 ., ■ i 

?! I M I 
I i 1 j ii, 

i 1 M-! : 



•C35' 

1 



IP* 

si 

!&■. 

1 5 
.r-aJ 

i!:C 



f 



D 
□ 

1 1 i mm 



c 
o 

I 



L. ' 

0) 

J !■ 

s f 

3 

z 

> . 

•£ 

.3 •; 
•o- 

CO I 

■ I 

a 

•S 1 
CO 



a 

E 

a 

Z 

'c 
'0 

TO 

:E: 

% 

-0 
X 

o. 



: • i. - ; ii'T.i 
■J:'^V'-:Q)iv ; 



3 

z 
cb 

c 

CO 

u 

a 
> 

Q 



O 

•3 



o 

JO 
CO 



I 




i 





MS 



CD 

m 

CO 



03 

m 
o 

O 

< 



Ll 



12/21 



WO 2004/055632 



PCT/US2003/039359 



* lift- — <■! 




,1 



•«{ ■ ■ -.icrrr/.-isy 

% eI— ' v§ :Si'-' ?l 

,*-": 7j l ;- l '« 
|3 f -1 




.IS*: 1 . 



CM 



13/21 



WO 2004/055632 



PCT/US2003/039359 




14/21 



WO 2004/055632 



PCT7US2003/039359 



w 
m 




15/21 



WO 2004/055632 PCT/US2003/039359 



CD 

m 



1502 



1504 

ELECTRONIC \ Y ES 
MESSAGE RECEIVED 
FOR ANALYSIS?. 



1506 




OUTPUT 
ELECTRONIC 
MESSAGE TO 

SECURITY 
PROVIDER FOR 
ANALYSIS 



1508 
YES 



OUTPUT 
INTERNET 
ADDRESS TO 

SECURITY 
PROVIDER FOR 
ANALYSIS 



> 

03 

m 
o 

c 



Fig. 15 



16/21 



WO 2004/055632 PCT/US2003/039359 



f START ^ 



1602 




YES 



OUTPUT 
ANALYSIS TO 
CUSTOMER 



NO 



1608 



STORE 
ANALYSIS IN 

LOCAL 
DATABASE 



1604 



1606 



REQUEST 
TO DISPLAY 
.ANALYSIS IN LOCAL, 
DATABASE?. 



YES 



READ ANALYSIS 
FROM LOCAL 
DATABASE 



1614 



1610 



REQUEST 
TO DISPLAY 
ANALYSIS IN REMO i 
DATABASE? 



YES 



READ ANALYSIS 
FROM REMOTE 
DATABASE 



OUTPUT 
ANALYSIS TO 
DISPLAY DEVICE 



1612 



1616 



Fig. 16 



17/21 



WO 2004/055632 



PCT/US2003/039359 




1704 



1702 



YES 



PARSE ELECTRONIC MESSAGE 
CONTENT FOR INTERNET 

ADDRESS 



NO 




YES 



1712 



YES 



INTERNET ADDRESS 
MISTRUSTED WEB PAGE 
ttABASE?. 



NO 



1714 



PERFORM INTERNET ADDRESS, 
CONTENT, LAYOUT, SITE, AND 
REACTION ANALYSES 



1710 



OUTPUT ANALYSIS TO UPDATE/ 
NOTIFICATION PROCESS THAT 
INTERNET ADDRESS REPRESENTS 
A TRUSTED WEB PAGE 



1716 



YES 



GENERATE SCORE 



1718 



1720 



SCORE >THRESHOLD 
.UE FOR MISTRUSTED 
PAGE?^ 



YES 



NO 



1724 



OUTPUT ANALYSIS TO UPDATE/ 
NOTIFICATION PROCESS THAT 
INTERNET ADDRESS REPRESENTS A 
MISTRUSTED WEB PAGE 



SCORE<THRESHOLD VALUE 
FOR TRUSTED 
PAGE 



NO 



1722 



OUTPUT ANALYSIS TO UPDATE/ 
NOTIFICATION PROCESS THAT 
INTERNET ADDRESS REPRESENTS 
A NEUTRAL WEB PAGE 



, , ; i 

Fig. 17 



18/21 



WO 2004/055632 



PCT/US2003/039359 




1802 



YES 



internet 
Address represent* 
mistrusted 
web paget^ 



NO 



1804 



YES 



INTERNET 
ADDRESS REPRESENTS 
TRUSTED 
PAGE 



NO 



1812 



YES 



1808 




OUTPUT ANALYSIS TO 
SYSTEM MANAGER 



NO 








^ 1810 






ADD TO MISTRUSTED 
WEB PAGES DATABASE 








1B14 



1816 



YES 



OUTPUT ANALYSIS TO 
SYSTEM MANAGER 



1820 



NO 




ADD TO TRUSTED WEB 
PAGES DATABASE 







1818 



OUTPUT ANALYSIS TO E- 
COMMERCE PROVIDER 



Fig. 18 



19/21 



WO 2004/055632 PCT/US2003/039359 




1902 




1908 



1910 



1906 



PERFORM INTERNET 
ADDRESS, CONTENT, 
LAYOUT. SITE, AND REACTION 
ANALYSES 



OUTPUT ANALYSIS TO USER 

NOTIFICATION/REPORT 
PROCESS THAT INTERNET 
ADDRESS REPRESENTS A 
TRUSTED WEB PAGE 




1916 



YES 



NO 



1920 



OUTPUT ANALYSIS TO USER 

NOTIFICATION/REPORT 
PROCESS THAT INTERNET 
ADDRESS REPRESENTS A 
MISTRUSTED WEB PAGE 



1918 



OUTPUT ANALYSIS TO USER 

NOTIFICATION/REPORT 
PROCESS THAT INTERNET 
ADDRESS REPRESENTS A 
NEUTRAL WEB PAGE 



j ][ 

Fig. 19 



20/21 



WO 2004/055632 



PCTYUS2003/039359 




Fig. 20 



21/21 



